Full-Processor Timing Channel Protection with Applications to Secure Hardware Compartments

This paper presents timing compartments, an architecture abstraction that explicitly removes microarchitecture-level timing channels between groups of software running concurrently on a shared multi-core processor. The capability to eliminate timing channels coupled with conventional software isolation enables strong isolation comparable to running software on separate physical machines. This paper shows that such a strong timing isolation can be achieved by systematically removing timing interference in shared resources in a multi-core, and formally checked using information flow analysis on an RTL implementation. Through this systematic process, we identify and remove new sources of timing channels, including cache coherence mechanisms and module interfaces, and introduce new performance optimizations. We also demonstrate how timing compartments may be extended to support a hardwareonly TCB which ensures security even when the system is managed by an untrusted OS or hypervisor. Experimental studies show that the performance overheads of strict timing isolation can be surprisingly low for a small number of timing compartments; executing two timing compartments reduces system throughput by less than 7% on average and by less than 2% for compute-bound workloads.

[1]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[2]  Nael B. Abu-Ghazaleh,et al.  Non-monopolizable caches: Low-complexity mitigation of cache side channel attacks , 2012, TACO.

[3]  Joseph Bonneau,et al.  Cache-Collision Timing Attacks Against AES , 2006, CHES.

[4]  Ruby B. Lee,et al.  Architecture for protecting critical secrets in microprocessors , 2005, 32nd International Symposium on Computer Architecture (ISCA'05).

[5]  Jean-Pierre Seifert,et al.  On the power of simple branch prediction analysis , 2007, ASIACCS '07.

[6]  G. Edward Suh,et al.  AEGIS: architecture for tamper-evident and tamper-resistant processing , 2003, ICS.

[7]  Frederic T. Chong,et al.  Caisson: a hardware description language for secure information flow , 2011, PLDI '11.

[8]  Jean-Pierre Seifert,et al.  Deconstructing new cache designs for thwarting software cache-based side channel attacks , 2008, CSAW '08.

[9]  Wei Hu,et al.  Gate-Level Information Flow Tracking for Security Lattices , 2014, TODE.

[10]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[11]  Emmett Witchel,et al.  InkTag: secure applications on an untrusted operating system , 2013, ASPLOS '13.

[12]  Nael B. Abu-Ghazaleh,et al.  Iso-X: A Flexible Architecture for Hardware-Managed Isolated Execution , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[13]  Ying Gao,et al.  SurfNoC: a low latency and provably non-interfering approach to secure networks-on-chip , 2013, ISCA.

[14]  Ruby B. Lee,et al.  A novel cache architecture with enhanced performance and security , 2008, 2008 41st IEEE/ACM International Symposium on Microarchitecture.

[15]  Somayeh Sardashti,et al.  The gem5 simulator , 2011, CARN.

[16]  Guru Venkataramani,et al.  CC-Hunter: Uncovering Covert Timing Channels on Shared Processor Hardware , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[17]  Frederic T. Chong,et al.  Sapper: a language for hardware-level security policy enforcement , 2014, ASPLOS.

[18]  Onur Aciiçmez,et al.  Cache Based Remote Timing Attack on the AES , 2007, CT-RSA.

[19]  Srinivas Devadas,et al.  A secure processor architecture for encrypted computation on untrusted programs , 2012, STC '12.

[20]  Simha Sethumadhavan,et al.  TimeWarp: Rethinking timekeeping and performance monitoring mechanisms to mitigate side-channel attacks , 2012, 2012 39th Annual International Symposium on Computer Architecture (ISCA).

[21]  Yao Wang,et al.  A Hardware Design Language for Timing-Sensitive Information-Flow Security , 2015, ASPLOS.

[22]  Christina Delimitrou,et al.  Quasar: resource-efficient and QoS-aware cluster management , 2014, ASPLOS.

[23]  Bruce Jacob,et al.  DRAMSim2: A Cycle Accurate Memory System Simulator , 2011, IEEE Computer Architecture Letters.

[24]  Jaehyuk Huh,et al.  Architectural support for secure virtualization under a vulnerable hypervisor , 2011, 2011 44th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[25]  Marcus Peinado,et al.  Controlled-Channel Attacks: Deterministic Side Channels for Untrusted Operating Systems , 2015, 2015 IEEE Symposium on Security and Privacy.

[26]  Onur Aciiçmez,et al.  An Analytical Model for Time-Driven Cache Attacks , 2007, FSE.

[27]  Gernot Heiser,et al.  Last-Level Cache Side-Channel Attacks are Practical , 2015, 2015 IEEE Symposium on Security and Privacy.

[28]  Christina Delimitrou,et al.  Paragon: QoS-aware scheduling for heterogeneous datacenters , 2013, ASPLOS '13.

[29]  Onur Aciiçmez,et al.  Predicting Secret Keys Via Branch Prediction , 2007, CT-RSA.

[30]  Frederic T. Chong,et al.  Execution leases: A hardware-supported mechanism for enforcing strong non-interference , 2009, 2009 42nd Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[31]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[32]  Brian Rogers,et al.  SecureME: a hardware-software approach to full system security , 2011, ICS '11.

[33]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[34]  Wei Hu,et al.  Information flow isolation in I2C and USB , 2011, 2011 48th ACM/EDAC/IEEE Design Automation Conference (DAC).

[35]  Jennifer Rexford,et al.  NoHype: virtualized cloud infrastructure without the virtualization , 2010, ISCA.

[36]  Ruby B. Lee,et al.  Covert and Side Channels Due to Processor Architecture , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[37]  Yao Wang,et al.  Timing channel protection for a shared memory controller , 2014, HPCA.

[38]  Danfeng Zhang,et al.  Predictive black-box mitigation of timing channels , 2010, CCS '10.

[39]  Ruby B. Lee,et al.  CloudMonatt: An architecture for security health monitoring and attestation of virtual machines in cloud computing , 2015, 2015 ACM/IEEE 42nd Annual International Symposium on Computer Architecture (ISCA).

[40]  Michael K. Reiter,et al.  HomeAlone: Co-residency Detection in the Cloud via Side-Channel Analysis , 2011, 2011 IEEE Symposium on Security and Privacy.

[41]  Daniel J. Sorin,et al.  Multi-program benchmark definition , 2015, 2015 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS).

[42]  Alexandros G. Dimakis,et al.  Understanding contention-based channels and using them for defense , 2015, 2015 IEEE 21st International Symposium on High Performance Computer Architecture (HPCA).

[43]  Yutao Liu,et al.  Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks , 2013, 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA).

[44]  Colin Percival CACHE MISSING FOR FUN AND PROFIT , 2005 .

[45]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[46]  Ruby B. Lee,et al.  Scalable architectural support for trusted software , 2010, HPCA - 16 2010 The Sixteenth International Symposium on High-Performance Computer Architecture.

[47]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[48]  Ruby B. Lee,et al.  New cache designs for thwarting software cache-based side channel attacks , 2007, ISCA '07.

[49]  Ruby B. Lee,et al.  Random Fill Cache Architecture , 2014, 2014 47th Annual IEEE/ACM International Symposium on Microarchitecture.

[50]  R. Boivie SecureBlue + + : CPU Support for Secure Execution , 2011 .

[51]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[52]  Frederic T. Chong,et al.  Complete information flow tracking from the gates up , 2009, ASPLOS.

[53]  Gernot Heiser,et al.  CATalyst: Defeating last-level cache side channel attacks in cloud computing , 2016, 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[54]  Stephan Krenn,et al.  Cache Games -- Bringing Access-Based Cache Attacks on AES to Practice , 2011, 2011 IEEE Symposium on Security and Privacy.

[55]  Srinivas Devadas,et al.  Suppressing the Oblivious RAM timing channel while making information leakage and program efficiency trade-offs , 2014, 2014 IEEE 20th International Symposium on High Performance Computer Architecture (HPCA).

[56]  Ramakrishna Gummadi,et al.  Determinating timing channels in compute clouds , 2010, CCSW '10.

[57]  Rajeev Balasubramonian,et al.  Avoiding information leakage in the memory controller with fixed service policies , 2015, 2015 48th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO).

[58]  Andrew Ferraiuolo,et al.  Lattice priority scheduling: Low-overhead timing-channel protection for a shared memory controller , 2014, 2016 IEEE International Symposium on High Performance Computer Architecture (HPCA).

[59]  Danfeng Zhang,et al.  Predictive mitigation of timing channels in interactive systems , 2011, CCS '11.

[60]  Anoop Gupta,et al.  The SPLASH-2 programs: characterization and methodological considerations , 1995, ISCA.

[61]  Wei Hu,et al.  Theoretical analysis of gate level information flow tracking , 2010, Design Automation Conference.

[62]  G. Edward Suh,et al.  Dynamic Partitioning of Shared Cache Memory , 2004, The Journal of Supercomputing.

[63]  Ruby B. Lee,et al.  Architectural support for hypervisor-secure virtualization , 2012, ASPLOS XVII.

[64]  G. Edward Suh,et al.  Efficient Timing Channel Protection for On-Chip Networks , 2012, 2012 IEEE/ACM Sixth International Symposium on Networks-on-Chip.

[65]  Vikram S. Adve,et al.  Virtual ghost: protecting applications from hostile operating systems , 2014, ASPLOS.

[66]  Geoffrey Smith,et al.  Probabilistic noninterference in a concurrent language , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[67]  Daniel J. Bernstein,et al.  Cache-timing attacks on AES , 2005 .

[68]  Frederic T. Chong,et al.  Crafting a usable microkernel, processor, and I/O system with strict and provable information flow security , 2011, 2011 38th Annual International Symposium on Computer Architecture (ISCA).